Signal the ATT&CK: Part 2
05 July 2018
Using orchestration and automation to enhance EDR capabilities, and to reduce ‘alert fatigue’
Earlier this year, we released part 1 of our ‘Signal the ATT&CK’ article, where we presented how we are incorporating the adversary knowledge within the MITRE ATT&CK™ matrix to enhance our threat hunting techniques within the Tanium platform, in part using a Threat Response feature known as Signals.
Part 2 is now live, in which we explore security orchestration and automation (collectively referred to as orchestration) and its use in enhancing the efficiency of our Endpoint Detection and Response (EDR) capability. We achieve this by streamlining and automating slow, manual tasks and transforming them into repeatable, scalable processes.
The orchestration workflows we have developed in Apache NiFi address two main behaviours and pain-points that will resonate with many security teams:
- Alert overload - Commonly referred to as ‘alert fatigue’, this is where analysts are inundated with detections. Ultimately, this leads to an increase in operational risk due to detections being overlooked; and,
- Frustration of manual enrichment - Having to manually lookup indicators against threat intelligence datasets, and manually pull related endpoint artefacts.
By setting our approach, we demonstrate how orchestration acts as a layer of connective tissue within our threat detection ecosystem, allowing us to automate the flow of data between systems and execute decisions. We also hope to demonstrate how you can improve your organisation’s endpoint threat detection capability.
For more information on how we can help your organisation, please contact Paul Bottomley and Wietze Beukema.